CSE 6203 Security Evaluation and Assessment Methodology

Answer to the Question No- 1(a)

The security risk assessment team must understand the limitations of the interview process. Information gathered during an interview should be considered as a way to ... identify areas for further study.

The interviewer can make mistakes through misinterpretation of the questions or the answers provided, or through misreporting what was said. Many security risk assessments are performed by teams with relatively little experience. In these situations, the likelihood that a question or the answer provided is misinterpreted is greatly increased. Even experienced information security professionals can misinterpret what is said by the interviewee.

The interviewee can make mistakes as well. It is quite typical that the interviewee is unfamiliar with many of the terms used within the interview process, or the interviewee may have a different understanding of the question than the interviewer does. In these cases, the answer provided may not be accurate. Also, interviewees tend to be eager to please and will attempt to answer questions as much as they can. This process leads to guessing and “filling in the blanks.” Again, this can result in inaccurate answers.

Answer to the Question No- 1(b)

It is important to collect and retain the evidence for all data gathered during a security risk assessment. Evidence is used to support the claims made during the analysis portion of the security risk assessment process. Although this may sound like a lot of extra work, proper evidence collection and tracking does not place an undue burden on the project. Instead, collecting and tracking evidence properly can actually reduce the effort required to perform a security risk assessment. This evidence:

• Is easy to do if you do it while you are gathering data.
• Provides better data upon which to make judgments. It is easier to assess the value or certainty of data if you know how you got it, i.e., “Somebody said this,” as opposed to “We found this vulnerability.”
• Provides a way to avoid arguments with the customer.

Answer to the Question No- 1(c)

Threat statement: “An employee may cause the release of sensitive information”

Associated administrative controls:

• Acceptable-use policy
• Monitoring
• Two-man control
• Job rotation
• Clearance refresh
• Ethics training
• Sanctions policy
• Separation of duty
• Job rotation
• Termination procedures
• Out-briefing

Uploaded on: Aug 04, 2022
Number of pages: 5
Seller: CourseWorks,Inc
